Lavabit E-Mail Service Shut Down

Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot....

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

In case something happens to the homepage, the full message is recorded here.

We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

This illustrates the difference between a business owned by a person, and a public corporation owned by shareholders. Ladar Levison can decide to shutter Lavabit -- a move that will personally cost him money -- because he believes it's the right thing to do. I applaud that decision, but it's one he's only able to make because he doesn't have to answer to public shareholders. Could you imagine what would happen if Mark Zuckerberg or Larry Page decided to shut down Facebook or Google rather than answer National Security Letters? They couldn't. They would be fired.

When the small companies can no longer operate, it's another step in the consolidation of the surveillance society.

Comments

I'm tired of this. Can't we in the security community bring up a secure email, chat, and web portal service in a censorship/surveillance free country? I'm not sure which country would be best, Chile? Estonia? Who will stand up against the US?

Then comes the second problem: funding. I don't have enough to bring up my own data center.

There is one thing I'm sure of and that is that this has to stop right here right now!

Levison says "he can't legally share the reasons" for shuttering his email service. In the case of NSLs can he even legally share the fact that he can't legally share the reasons? Or legally share the fact that he can't legally share the fact that he can't legally share? Etc.

That is definitely one way to move forward. Perhaps we need a Kickstarter for it? However, any such effort will also require trust. We need to know that the right people are doing it and more right people are verifying they are doing the right thing.

Another possibility I have considered is creating a 'packaged' secure mail server that anyone could host themselves. Maybe the US government can strong-arm companies into letting them monitor email traffic, but can they do the same to individuals?

If an end to end encryption protocol COULD be developed, I am on board. I am in Canada, and am not happy that ALL my messages that route through the USA are kept at the NSA. Worse yet, as a foreigner, I have no recourse if the NSA decides that I am a threat and uses "Old" stuff to prosecute me, even though I am innocent. Sadly, I fear it will come to that.

That is the wrong move to make. We don't need to move from one centralization to another. Even if you could find a country that will stand up to the growing global (not just US) police state, they will probably be compromised as well.

What we need to do is work on turning "a man's home is his castle" into "a man's device is his home" (and therefore his castle). We need everyone to be running their own webserver, email, and other services on devices they own. And by own I mean in the GNU sense as well as just avoiding "licensing".

Everyone already has a mini-server in their pocket... why not start there. Oh wait, before we can secure that, we need an open GSM stack, open firmware, and open software (I shouldn't need to f'ing find an exploit to root my damn linux based android phone! It goes against everything gnu/linux is supposed to be!)

Of course, a person can be vulnerable (phone stolen, confiscated, etc) so maybe work on everyone having a mini-server at home (Raspberry Pi?) that the phone tunnels to via ssh might be something to consider. Of course black bag ops and other stuff could be carried out, but it raises the barrier to entry for TPTB. It is the increasing centralization of (proprietary, closed source) services that is destroying the internet.

Yes, I've thought of doing a Kickstarter, however I'm in a country that is under the finger of the US Staatssicherheit. Whoever opens the Kickstarter should be out of the reach of the storm troopers.

I've toyed with bringing up my own mail server as well. However, in this day and age where no-knock raids happen in the US all the time (in Canada too), I'd prefer to have a mail server in a more civilized country. I'd rather not be shot full of holes by a hyped up gorilla storm trooper over an email server.

So, where is this going to lead? An infosec arms race? When will all those who object to what's going on unite and act? Government is a public service, accountable to the electorate. When is it time to hold them accountable for transgressions? If the time is now, how does one go about it?

I agree with the idea of decentralization wholeheartedly. However, as I said in my previous post, there are compelling reasons for keeping your data in a separate location from where you live. Physical security concerns are becoming more important worldwide.

There are some ideas I've had on how we could separate the data storage (secure second site) vs the encryption key (stored local). The secure plugin for firefox that allowed people to keep google docs encrypted (from google's perspective) while only storing the key locally and manipulating them should be an inspiration.

@Steve

I completely agree with you on the Bill of Rights. Many Americans served in various government positions, military and not. Those people took an oath to the constitution, quite a few of those meant it, and they don't intend to allow this to go the way of the GDR.

I was thinking more along the lines of 'thousand points of light' with the personal email server. They don't have the budget to storm everyone's house and forcibly install monitoring software. In fact they would have a difficult time just doing it to the tens of thousands of servers on racks in ISPs around the country. The fact they can focus on a few companies is the only thing that makes it possible right now, from a budgetary standpoint.

Carpe;

That is along the lines of what I was thinking. Maybe we could even get the servers cheap enough that people could afford to take them places with open wifi (libraries, coffee shops, etc.) and leave them plugged in somewhere inconspicuous? It wouldn't be a perfect system, but it would increase the cost of tracking and monitoring to the point it might break the system. (See above.)

I could be wrong, but as far as I know, if you run a mail server on a dynamic IP address, mail will not be relayed to/from that IP (if I'm wrong, please let me know as I've tried to do this for a while). We're left with a) Get a business account with your carrier ($$) and pay extra for static IP. b) Get datacenter space and host your own server. c) Get a VPS and trust that the instances are not visible to the hosting provider. There's no "easy" alternative the public at large will go for, all these are solutions for us nerds.

I would not be surprised if someone had already developed a very valid alternative to SMTP that is truly secure. The problem would be adoption.

As Jack says, it all boils down to trust, and right now there's no trust at all in governments or corporations. Also, iRedMail seems to be what you're looking for when it comes to an open source mail package, I literally set it up in less than 30 minutes running one script. Mind-blowing.
Anyway absolutely love the blog and makes me feel at home.

I'm not getting it. What Ladar Levison did is to fire himself. In what way would it be different from Larry Page getting fired? If he shut down Google, he'd already have essentially fired himself by the very act. So why would it be any different, save for scale issues? I could maybe see lawsuits in a country where, amusingly, people try to use the might of the state to their own ends every minute, but that's not what was said. Page and Levison could both shut down Google and Lavabit, and would be out of a job in the same way.

I like your hidden server idea. It's brilliant. We could load it on re-purposed smart phones I suppose. That begs another question: How many email servers support encrypted SMTP server to server connections (forced), obviously PGP isn't a problem. If NSA can sniff the wire, everything, even plaintext email needs to be encrypted in transit.

1) set up a GNU/Linux server
2) encrypt the disks
3) set up email, etc... on it
4) host the whole thing in a data center somewhere

The defense against a warrant is the encryption...if they take it, they can't get into it without the keys. Heck, I've gone so far as to wonder what would happen if I encrypted the disks then destroyed my copies of the keys. Sure, if it ever rebooted I'd lose the stuff...but then I couldn't be forced to do something I couldn't do.

I had also considered bringing up a data center somewhere that was highly secured, and if any tampering or unauthorized access occurred to the data center, all systems and servers would zeroize (autowipe memory).

You could use the same method on Jack William Bell's "Thousand Points of Light" idea. If it's tampered with, it zeroizes memory. DMA access is the mind killer.

The only solution is a secure messaging service with a distributed network. That can't be taken down and can't be controlled by the government. I'm building such a messaging service with two friends. http://www.hisser.eu/ or @hisser_chat.

EVERYONE who receives a National Security letter forbidding them to disclose its existence should have one-tenth the guts that Snowden did by publicly posting it and sending it to the press. If everyone teamed up and did this -- Zuckerberg, Brin/Page/Schmidt, Ballmer, Cook, Ellison, Mayer, Levison -- then that would be the end of this odious practice. The feds aren't going to put Mark Zuckerberg or Steve Ballmer in prison.

This is why Webmail is exactly the wrong place to do email encryption. There's just too much pressure on email providers to offer a means for law enforcement to disable encryption, which is a trivial matter for those who control the development and distribution (including updates) of the encryption routines.

Encryption and decryption of online content should be handled by client software that is developed and distributed independently of the service provider. That way the service provider has no way to decrypt any documents stored or distributed through their network.

(1) Keys. Encryption at the end-points requires the use and sharing of public/private keypairs. This means you have to have some way of getting someone's public key before you email them. This leads to (2)…

(2) Not everyone will have the required software, have it set up correctly, have a way to send their public keys out, and know that their installation of the tools and use of them is correct and secure. This is the kind of solution that only works for everyone if EVERYONE is on the same page.

(3) It doesn't stop the NSA from snooping metadata on the email. Even if they can't read the body they know who sent it, who got it, what path it took, and more.

That said, public/private keypairs are a good answer for those willing to put in the work when corresponding with others also willing to put in the work and willing to accept the problems in (3).

I think what Lavabit and SilentMail did wasn't the right choice. They should have just told their customers that LEO's/TLA's could acquire their messages under federal law. They would still be protecting their customers from...

Dare I say that most private email users' main online threats are not NSA and FBI. Those in 1-4 cause the vast majority of email problems in this country. Without a private mail service, users are at a huge risk across the board. With a private service + govt snooping, users are still protected from 1-4. The next, ideal level is a service nobody can snoop on. I dare someone to name a COTS secure mail service that can prove no subversion. "Don't worry I'll wait." (Katt Williams) So, services like Lavabit benefit in many ways, never could prove security against LEO's/TLA's.

A customer speaks

A user of one private service emailed me this comment: "Sure, the govt or Hush might be able to snoop. That's better than everyone in between me and the recipient being able to mess with the message. And Yahoo selling my information. And Google searching the text of my email for marketing. And who knows what. I'd rather narrow it down to two worries instead of dozens." My point exactly.

But the TLA's might get the customers...

So, these groups are shutting down because LEO's/TLA's hunting targets in the mail operators' own country might legally force operators to comply with their investigations? Are they kidding me!? Companies regularly inform customers they will cooperate with legal requests for information. Read: they won't do prison time for us. We (security community) always assumed and warned LEO/TLA opponents could bypass protections of COTS security offerings if they target you. Against these, Lavabit-style services alone aren't secure and never were. Snowden revelations changed nothing about our model except the domestic TLA net is wider, stealthier and easier to cast. Cynics among us assumed that would happen, too.

The Sad Conclusion

All that's resulted is two services that can protect users from many real threats have shut down over a situation that affects all companies and many users didn't care about anyway. I think it's a disservice to the present and future users of private email. It would be better to continue protecting them from the non-LEO/TLA threats while leaving a prominent warning that LEO's and intelligence agencies in a country can legally obtain personal information from companies in their country regardless of those companies' promises/claims. Then, the customers could use these services as a baseline and simply not trust them for work opposing the local govt.

In this alternative reality, Lavabit still functions and its customers say: "Good thing I haven't been pissing off FBI or NSA lately. At least the service takes care of (long list of email security problems that make people's hair fall out). Totally worth it!"

Note: I see one objection coming that the owner did it for reasons of personal principles. In that case, I certainly applaud the owner standing up for principles. Yet, I can still say the end result of this principle (a) has little negative effect on the LEO's/TLA's and (b) has a hugely negative effect on the customer base. Such a negative outcome on ITSEC or privacy logically means that the decision was bad from those perspectives. The real world is messy: making practical progress in ITSEC often involves making tough tradeoffs in morality, deployment strategies, legacy compatibility, and so on.

However, considering your statement: "So, these groups are shutting down because LEO's/TLA's hunting targets in the mail operators' own country might legally force operators to comply with their investigations?".

This may not apply to Ladar Levison. My interpretation is that he shuttered the service over objections to complying with illegal requests from the US Gov't.

You know, I've heard that bar owners often incorporate with a limited amount of assets in the bar's name. That way, when they get sued, the owner can walk away and open up another under another corporation.

I wonder if the same strategy would work here. Lavabit2 has never received an NSA request ;-)

@B.S.
"Could you imagine what would happen if Mark Zuckerberg or Larry Page decided to shut down Facebook or Google rather than answer National Security Letters?"

Heh! Reading my mind. Early this morning I was considering the relative tensions - USG vs *public* company; USG vs *private* company - after reading about the fate of Lavabit. However, Verizon - not Facebook or Google - was at the center of my gedanken experiment. I imagined Verizon suddenly growing a pair, responding to an NSL to the tune of, "Enough, already! Go pound salt! We're outta here.". In one fell swoop, mebbe a third of NSA's bits spring dries up. (Yeah, I would then be without phone and internet. Democracy is messy.)

Today I contacted my service provider, the one that provides domain, hosting, and e-mail services about their policies with respect to procurement standards and disclosure. For example, does the company support a DFAR or ISO based standard with respect to services offered? Is the content located in the country where my business operates (laws regarding data management/retention and disclosure)?

Why is this exercise necessary--because some ass-hole in gobnit decided it was a good idea to subvert the communications infrastructure without care or due consideration as to the impact on business. We are a small company and can hardly afford to raise the bar necessary to protect our business properties. We are a U.S. company and are afforded some regulatory relief from the over-reach of government on commerce. If there was ever a case for a class action lawsuit..."The business and employees of the United States versus the United States of America, Federal Government Agencies"

Okay, maybe not a winner but there is significant and real harm...this is about everyone at some level taking in the sphincter to satisfy some out of control security state apparatus...I blame Darth Vader...

@Phillip: "Then everyone's got to use it or else it won't work." Microsoft, Apple, Google, Yahoo, Facebook - have no incentive to provide clients that support truly secure email. Even aside from enabling a work around from government spying, it's also totally incompatible with their business models which depend on data mining emails (except maybe Apple). Even PGP encrypted gmail with headers intact makes gmail/yahoo/outlook completely unusable, even to the end user, because now the top feature no longer works: searching one's own email.

Government mail isn't secure either. I think we need to give up on email ever being anything other than what it is today and invent something else.

I don't know about silent circle, I think they are trying to go out in style. Why shutter a rapidly growing business just in case? I imagine it has more to do with recent vulnerabilities found in their product, and lack of customers. Spreading the FUD.

I'm a civil liberties proponent so feel free. I'm criticizing one guy's idea in a public forum. Someone else criticize mine. Just how free speech and peer review work. A Good Thing. ;)

"Why would the TLA/LEO not contain people belonging to one of the first 3 groups you say Lavabit protects its users from."

"And what about the security breaches due to taps introduced by the TLA/LEO?"

These are the kind of concerns that seem to not happen enough or do enough damage in practice to be a worry. I've seen many claim the 2nd point, often citing the backdoor used in Greece. However, it's easy enough for a company's administrators to retrieve files or target a specific (logged in) user without huge security problems. That we have hardly seen any attack indicates that either (a) the attackers have God-like stealth/OPSEC or (b) this is a rare/tiny problem.

"Lastly this is a much stronger message that customers will pay attention to. Unlike a small update to a click thru TOS update."

The "customers"... won't exist after this action. They will go from customers of the private email service to people without one. And presumably lose anything stored in the email service. And they're too small a demographic to affect much politically. So, probability says nothing will change from this action except the customers losing out.

Now, a whole bunch of people must find another option 2 or be stuck with security/privacy woes of option 1. I feel certain that, for most users/customers, being stuck with option 1 is worse than option 2 + govt snooping. And, btw, govt snooping is still in option 1. It's a constant issue for domestic providers. And offshore providers can be bad guys in disguise. (Have been, on occasion.)

So, Lavabit and SilentMail provided benefits over regular email services with no worse govt-related risks than average. Now, those benefits are taken away with nothing given in their place for the customers who still need protected email. Also, two less players in that market keeping it competitive. The above made me call it A Bad Thing for [former] customers.

@ dbCooper

"This may not apply to Ladar Levison. My interpretation is that he shuttered the service over objections to complying with illegal requests from the US Gov't."

I agree that this seems to be the case. I also have nothing to say about him personally except for he seems principle driven on the issue. I worded it the way I did because, far as I can tell, there's nothing illegal about what they're doing. Admittedly we don't know specifics of the case. It just sounds like NSL's, "lawful intercepts," and their ilk we've heard before. So, I assume he was confronted with that (maybe something worse) as I make the next point.

US lawmakers, on their own or from public pressure, can rein this activity in. Instead, they've given more power/funding to it for around ten years straight. Public is divided, but many support it for our "safety." Most federal court rulings maintained or expanded that. For practical purposes, it seems to all be legal.

So, although I hate it, it's the reality for someone running an American company. One simply doesn't keep their company running in the U.S. over the long term telling our government's most powerful organizations to f*** off over [apparently] legal activity. Unless the defendant is a company like Goldman Sachs. ;)

They won't put Zuckerberg or Ballmer in prison for THAT, but they'll put them in prison for insider trading or whatever they can scrounge up. On top of that they'll deny any company that disagrees with them government contracts (the denial of government contracts can actually lead to "insider trading", see below). And, in the very best case, shareholders can fire them for acting of their own free accord - Z and B don't OWN F and M. They are merely executive officers.

NSA are obliterating their info weapon by being cyberkleptomaniacs. I am thinking, why do we have to rebuild the whole infrastructure, (yes it can and will be done now), to keep NSA out of the loop, just because some moron knowing nothing has too much power? I am too tired for this... Here is the first effort already in the works in Germany. http://www.n24.de/n24/Nachrichten/Netzwelt/d/3318230/gemeinsam-gegen-die-nsa-.html
USA is losing uncountable millions and also lots of good will on this. Rightly so!

There are some promising contenders out there, esp in usability. That always held secure email solutions back. I think a secure messaging offering is a better idea than purely email offering. If designed right, even email can be run through it security-enhancing proxies/gateways.

Regardless, I hope these companies keep at it improving the security and usability of their products. They'll be alright if they put as much effort into quality as I've seen them put into marketing: "NSA proof your communications," "military grade encryption," "ironclad," "bulletproof," "we only comply with court orders, we promise", etc. ;)

We started running a closed family IMAP encrypted server here in 2008 from a dynamic IP with Dyndns. It works pretty well, but I've never been able to solve the certificate/authentication problem to my satisfaction :(

But even if I did pony up those big bux to our ISP for a static connection and a real certificate - don't know if any of those certificate authorities could be trusted either. Too easy for them to sell out to the government.....

So right now we're just relying on the fact we're too small for the feds to notice or bother with. I don't like this. It's time for *all* citizens to have the means to stick any intruder in the eye - even governments. Authentication systems and encryption systems *should* now be beyond reproach - only they aren't.

I would go farther than he did. And in fact would have before this. You shouldn't trust sensitive data to a third party. Period. We've known at least since hushmail that US host-based encryption schemes aren't safe from the US government, but even without this it's only because the US has gone through legal means (even if we don't like it) to bypass security. Does anybody really believe a major nation state couldn't get somebody inside one of these firms to release a custom version of the app that sends a particular individual's key back with their data?

I would have thought this will deal a huge blow to US-based cloud services. What non-US company in their right mind would entrust their data to anyone in the US knowing that there is a huge back door to it from the NSA and other US government agencies? I would expect a rush to move data out of the US - that's what I'll be doing with my Amazon S3 data. A large part of the US economy will suffer because the NSA has ensured that the US can't be trusted.

Another aspect - how does the NSA guarantee that the snooping technology they develop remains restricted to US government agencies only? They can't. The fact it exists, developed with huge US government funding, means it must inevitably leak to the dark side, enabling even more access by organised crime and disorganised hackers. This is what the NSA are enabling, by developing the technology and by squashing attempts to counter it by developing better standards.

I applaud the efforts that people like Bruce and the EFF are making. It might be too late, but we have to keep trying anyway.

#1, if the FEDs can spy on all comms, they can steal all I.P., doesn't that make everyone not want to do research and not work towards new scientific advances?

I'm loving all the collaboration here, keep it up! My contributions would come w/ the secure hardware, the secure software/compilers will be your responsibility! ;) The next step needs to be a physical meeting and I can help identify some local FEDs if need be (which I will "politely" ask to F*** off); hopefully others can identify other local FEDs and keep these f*cks out of our secure trustworthy network. Current networks are way too untrustworthy to trust exchanging keys, I'm sorry this is reality. I won't accept anything beyond secure physical key exchanges. But the reality is that if the group is any larger than 15-20 people I would have serious reservations about it being compromised. So all small groups doing their own intel work and creating their own unique networks and systems. Mesh networks haven't been talked about here, get out of the wires and in the air and force further work. I can trust the minds of nerds to turn this fight into a fruitless endeavor.

All the naive people who haven't been targeted by TLA's and LEO's, relying on a warrant is fluff security. You need real physical security, which involves not only many types of sensors but an extremely hardened "one-way-in one-way-out" entry point that is manned by at least 1-2 loyal guards or extreme physical barriers/deterrents. No-Knock warrants at least broadcast compromise, you don't know how sneaky these mother####'s are; they wait until you leave. This is their job, they have a worthless job of sneaking around civilians' houses and not only bugging their houses but compromising their networks and your comms electronics; and they do it at the cable level in your face!

To make some real progress here, people are going to have to reveal their physical locations, and people who can verify they aren't FEDs will need to be present. Therefore we (us nerds who can see the future) can verify the group and beat the FEDs.

Otherwise the FEDs win by making us all so untrustworthy that I can't even leave my house w/o thinking "I'm compromised".

Nick P
--I know we have a weird off-and-on relationship and that you have hacked me to death and I have inserted some goodies in your system as a payback; but I'm really disappointed in how you're just giving up. You seemed like someone who we could've really built a secure platform on and taken this to the next level of physical security if these f**kers try to gain access at any hour of the day. Granted I understand the nature of the threat but I would've thought that eventually or deep down you have this extreme hatred of those that compromise you w/ force.

You know the more technical capability is killed, the worse off we all become, so if these morons want to push it to that level they will get what they deserve.

These closures surely bring great (truthful) joy to James Clapper's heart. The chilling effect of surveillance is apparently making smaller companies go away while making individuals "think twice about what they say." Logistically, consolidating the Internet into a relatively few companies who make the proper "Heil Obama" salute and actively help the security apparatus fish for data makes things much easier.

Bush seems to have inadvertently dropped a hint about the strategy for fighting the Global War on Terror when he remarked that terrorists "hate our freedom." By preemptively removing our freedoms, he and Obama are giving Al-Qaeda fewer reasons to attack us. That helps to keep the Homeland secure. Clapper certainly believes that a free and open society is unacceptably vulnerable to terrorist attack. And he can be proud of the success the Bush and Obama administrations have had in eliminating that vulnerability.

Nick P
--*Correction*, just some of your systems (the gaming ones and ones you don't care about). I do want access to the ones you've been working on for so long. Sorry can't lie I want physical access to those; I'm a gentle person most of the time. I won't though, b/c I assume you're a little ahead of me and will sense and murder me if I try. I'll get there though if I don't get murdered.

I'm thinking this. Why not resurrect a modified fido protocol? You can get free or very cheap virtual linux boxes in a cloud provider, run your mail server on a random periodic basis and then shut them down for most of the day. For the short time your machine is up and identifiable, it stores and forwards.

The real story here is the chilling effect not just to govt workers with access to information (Manning, Snowden) but also to small biz. Big biz will naturally fall in line, for reasons Mr Schneier made clear (they have boards & shareholders to answer to, not to mention complicity might be lucrative).

Technology isn't the problem or the solution here. The issue and the remedy is political.

We need our peers who are non-savvy regarding both tech and civil freedoms to "get it" with regard to the problem at hand, and not forget that this is and has been an issue for years, namely since 9/11.

If or when people and companies look to do business elsewhere than the US, the power of the purse will compel lawmakers and business leaders alike to make civil liberties a "cool" thing to talk about openly. It would help if lawmakers in other countries included regulatory statutes that forbid storing personal data on servers in countries that don't have similar privacy protection laws, or that fail to safeguard them in practice. That would get the attention of Big Gov and Big Corp alike.

Let's take some accountability as well. For Americans who are reading this, these are the values we voted for and the people we chose to represent us. We collectively want a guarantor of our safety on all matters, and the govt at various levels has responded accordingly.

1) set up a GNU/Linux server
2) encrypt the disks
3) set up email, etc... on it
4) host the whole thing in a data center somewhere

The defense against a warrant is the encryption...

That would be the triumph of optimism over experience. :(

You better hope the raid comes when those servers have been shut down and had power removed for some time - and that no one ever gets access to /boot, or any part of the running system - and all your hardware is fully audited.

NOTE: it used to be part of the entrance test for the AFP's Computer Crime unit to grab data from a running server (hint - to run it has to decrypt).

In 1994, anonymizing mail server Penet (anon.penet.fi) was "compromised" to an unspecified extent by unspecified attackers. Although its operator publicly announced the fact, he stayed in business. Then in 1996, Penet's owner responded to a Secret Police demand for the "anonymous" mail server's records by wiping them (he said, and might have done), and closing the service down once and for all (he did that for sure).

Lesson learned: An anonymizing service with a single point of failure that requires its users to "trust" the provider is not reliably anonymous. That's why distributed mix networks, where there are no trusted parties or single points of failure, were invented. You have to trust something sometime; in this case, you have to trust well known, widely analyzed and attacked ciphers deployed in Free Software with its full source available for public inspection. That's not a perfect solution, but nothing is and this one has worked reliably for nearly two decades, against the combined resources of every major intelligence service in the world. Edward Snowden summed it up in one of his rare press statements: "Crypto works."

So why did Lavabit ever exist in the first place? Apparently because its founder saw a market demand and decided to capitalize on it, either not aware of or willfully ignoring the lessons of history. Lavabit deployed a known failed security model in support of a known failed business model, and failed. Now its founder, and even the Electronic Frontier Foundation are both all, "Those big meanies done a Bad Thing, sniff sniff." The big meanies in question will always be there, as public Agencies or private criminals. Selling their victims styrofoam bats to fight back with is, in a word, dishonest.

Meanwhile, when we need real anonymous mail service, it's free for the taking. Options include Quicksilver, a Mixmaster Remailer front-end for Windoze; Mixmaster and/or Mixminion for the UNIX family of operating systems; or you can use TOR to set up and use a "regular" webmail account without disclosing your identity - with the advantage of two-way communication. These options rely on open source crypto tools and zero-knowledge protocols, not the kindness of strangers who can be bribed or blackmailed, to keep your A/S/L and True Name out of the hands of hostile parties. I like that.

A small step in the right direction might be a new httpe:// standard (e for encrypted rather than s for secure) -- the key for an httpe server is not authorized by any certificate authority; the goal is not to ensure the corporate identity of the server owner, it's to increase the 'crypted traffic online. A browser connecting to an httpe server would first set up an end-to-end link, THEN request a specific page. The Apache and Mozilla organizations have enough combined moxie to make this a reality in ~6 months if they both agree to make it standard and enabled in their next releases.

Downsides: man-in-the-middle attack, guessing what page has been retrieved based on the volume of encrypted traffic.

So here's the elephant in the room with all of this (though WS touched on it): how much can we trust the ssh connections we make to all of these services? There have already been cases where root certs have been compromised; do we honestly think the NSA isn't stealing or strong-arming access to those certificates that come pre-loaded in every browser?

And what's the solution? Just give up on silent connections and inspect the keys every time? Have the EFF set up its own cert chain?

And Hugo, asymmetric keys aren't widespread because a lot of people don't understand how and why they work, others don't understand why they're needed, and no one has managed a simple work flow that will be manageable for the vast majority of the computer users in the world.

Why would ssh be affected by govts getting access to root certs preinstalled in browsers? Just generate your own...

Silent Circle says the following about email but I'm not entirely convinced about the last sentence (except for the part about metadata)...

"Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure."

But we do have a P2P open source alternative in BitMessage, and they are asking for help in the form of security audits. Bruce???

Re the idea of having a personal encrypted email server stored in a data center somewhere so that you don't have to worry about the issues that would go with having the server at your house (i.e. the issues that go with running a mail server on a home internet connection), here are ways to make the server harder to attack in this way:
1. All data on the machine's disk is encrypted using full-disk-encryption with the only copies of the keys for the encryption being stored in a TPM or similar. The keys would be keys created by the server owner and then destroyed after loading the keys into the TPM. This prevents attacks that involve pulling the disk from the machine and imaging it for analysis offline. (since it's impossible to get the disk keys even from memory in a running machine)

2. All software running on the system (from the bootloader on up) would be digitally signed and verified by keys held only by the owner. The public half would go into a secure-boot style system that would verify every piece of software before it runs and the private half would be held only by the owner. This prevents attacks involving the running of forensic software on a live running system or rebooting the system to load a forensic boot image.

3. Any login to the server (either by physically connecting a keyboard/display or remote over SSH etc) requires the use of strong keys that are held only by the owner. This prevents any attempts by an attacker to gain physical access to the server to carry out forensic attacks or otherwise gain access (other than the protected SSH interface, only secure interfaces for email and such would be exposed to the world).

4. To ensure that data can't be stolen using hardware attacks (such as the attacks that can read the contents of RAM after a reboot) any attempts to physically access the hardware (by opening the case or whatever) will cause all sensitive data such as the hard disk encryption keys to be erased.

These measures (if done correctly) should render the data on the server unreadable even using the best computer forensic techniques the feds can throw at it.

This obviously is on top of network-level encryption to prevent taps on the network links (including cases where the ISP/host is ordered to feed all data into a secret box for later analysis).

It's just mind-boggling how fucked up Murca has become over the last 20 years. And, more specifically, in the last 10.

All your freedoms gone because you all succumbed to fear and want a war on terror that you can't win and that can never ever ever (ever) take more lives than gun violence. And you still hang on to your dated constitution as the way to run a society.

The IRS and ATF are dysfunctional. The CIA and NSA have always been too, but now they have practically infinite power. A congress that is impotent. A country that is run by lobbyists.

It's a true banana republic.

I watch with great glee the decline of Murca. Not only because I'm a fan of schadenfreude but mostly because it has so much influence on the rest of the world but takes its responsibility childishly or not at all.

Lavabit and Silent Circle are probably my two biggest competitors, as "Gith" offers a similar service (end to end encryption, keys owned by customers only).

If I was a real businessman, I should then probably be really happy that they have been forced to stop/pause their activity.
In fact I'm not, because it's really sad and scary: You're simply not allowed to provide real privacy to your customers, even if you're not a "silly dog" like Kim dotcom. You have no way to discuss or argue, if you provide security, you're a terrorist.

In the same way, companies manufacturing knives should only be allowed to create knives that do not cut, because cutting knives could be used by terrorists. Just let your customers think that knives are not supposed to cut.

Actually the servers owned by my company are hosted in France and I was wondering where I should put new instances. Now I know where they would not be!

As soon as my company buys new servers, I'll add a new feature on Gith: let the user choose in which country its data should be stored.

For those who are considering where to place servers, I would start by looking at Europe (not just the EU).

Well over five hundred years of almost continuous war backwards and forwards across borders with the attendant persecution due to archived information etc has caused a small amount of sensitivity to stored data legislation.

Countries I would start looking at are Switzerland, Germany and the Irish Republic (Eire, Southern Ireland).

Each have differing legislative requirements which can be used advantageously by appropriate link and end to end encryption.

However avoid the UK and Northern Ireland as the likes of RIPA give free rein to any and all traffic that passes directly or indirectly through its sovereign territory (which is why the Isle of Man and the Channel islands need to be looked at with care).

As I've said a number of times in the past the actual geo-topology of the "physical layer" matters a great deal.

However you might also want to look at the likes of Cuba, as due to US politics much of its data went via places like Spain not the US.

One of the tricks that Nick P has mentioned in the past is to use nations that have little or no interaction due to "political differences" in this respect the US has more enemies than many other nations. The reason being they are unlikely to follow up on requests from LEOs and other TLAs from those nations...

For those thinking about coming up with their own systems I really suggest you scour backwards over this blog's pages as much that you need to know has been discussed here by various people.

Firstly you really need to consider your "Shannon Channels" and the implications of the end points to security.

Whilst the likes of the NSA really would prefer to just "sniff off the backbone" it's relatively trivial in comparison to the end points to make it secure beyond their current and projected capabilities. Which means that the FBI/NSA will look at attacking the end points and there is sufficient evidence that they currently do.

But behind the technical end points there are the soft squidgy pink things with around 7lbs of mixed fats looking like a lump of congealed porridge in their heads, these are the real problem with security at the end points, and thus it's here you need to start. If you don't then the game is over before you start...

One of the biggest flaws of the security of communications is what happens at the distant end point where any information is in effect beyond your control.

That is how do you stop a remote user "forwarding", "cut-n-pasting", "printing", "storing in plain text" etc. If you don't build in the capability to prevent this into your system then you are wasting your time.

Then you have a very major problem to solve and that is "key management" (KeyMan) of "Keying Materials" (KeyMat). As Bruce has indicated many many years ago it's an open problem that cryptographers and academia have yet to address, and as others have noted "PKI is most definitely not the solution".

Hidden behind these are "traceability" and "audit" and these in turn are secrets in their own right, as the logs involved are more useful than plaintext and signals analysis as they reveal not just X who has communicated with Y, but also whom might communicate with whom at some point in the future in an active (duplex) or passive (simplex) way.

As I've indicated many times before KeyMat generation is actually quite difficult due to people not understanding the issues to do with "entropy" or lack thereof in the systems they use. Whilst faux and bad entropy are easy to generate good entropy is not, and recognising the difference by uninformed observation of the output of a generation system is close to impossible in many cases (it's one reason you should not trust the output of any system where you cannot measure and continuously test the base input).

Problems with key generating systems are without doubt a happy hunting ground for the likes of the NSA. We have actually seen researchers highlight this when they have "scanned the Internet" for public keys and found that many share common primes which makes factoring out the private key relatively trivial.

And this brings back the issue of "end runs" around security, whilst the NSA might not have factored out your strong PQ pair they might have factored out one of your correspondent's weak PQ pair. Thus at the very least they will become privy to one side of the communication, and with the default of most Email apps being to include the original message in a reply, they get both sides of the communication... It also gives "known plain text" to attack other ciphertext communications if either a weak crypto algorithm was used or strong crypto algorithm in inappropriate or weak modes.

I could go on at length about KeyMan/Mat issues but you should have got an idea of just how problematical it can be.

But ignoring human end point issues there are a whole raft of technical issues to deal with.

Some time well prior to Google Chrome becoming known about outside of a select few in Google, I pointed out on this blog that security issues had moved from the OS to the App. I specifically pointed at web browsers and the fact that they had "common memory" for all open sessions and little or no protection of the memory. Thus it was possible for the code in one session to get access to data in other sessions with a lot lot less effort than trying to do the same at OS level between two processes. Which was why I indicated that a lot of applications really should use OS level security techniques. Whilst Chrome has improved things a bit for a browser there are still very many other in effect multi-session applications that don't. This makes session to session attacks way way easier than process to process attacks and thus a fruitful hunting ground for TLAs and others. Unfortunately Microsoft with their Browser is the Desktop come top of the OS mind set has caused several generations of application developers to follow this poor design idea and dragged in all the attendant attack points.

But there are other technical end runs that can be done via shared code libraries above the OS and device drivers etc below the OS. For instance it's fairly easy to write a shim that will intercept the unencrypted plain text on its way to the screen or from the keyboard (CarrierIQ did this on smartphones). All of these have been seen in malware used to defraud people when using banking applications, and thus we can safely assume that TLAs have such code to examine / copy / utilise for their own ends, if they have not generated their own or purchased "investigative malware" which they have deployed against those they wish to investigate.

I could go on about endpoint security but hopefully you get the idea.

As for actual communications and crypto, you need to use application level end-end crypto as well as point to point or link level crypto between all nodes. You also need to use Store-Delay-Pad/Fragment-Forward techniques rather than just Forwarding on the links as this helps break the ability of an opponent to do signals analysis. Likewise you should use "bandwidth control" techniques where you send continuous data at a fixed rate along a node-node link.

Also there are issues to do with "re-sending" messages, the simple answer is DON'T. The more complex answer involves changing padding, fragmenting, ordering and keys and is beyond this discussion as it involves knowing precise details of the system and the crypto modes being used.
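
The shared-prime weakness mentioned in the comment above (scans finding RSA public keys that share a common prime) is something an operator can check for in their own key inventory. The following is an added example, not part of the original comment: a batch-GCD audit in Python, where the function names, key labels and toy moduli are all constructed for illustration.

```python
"""Audit a set of RSA moduli for shared prime factors using batch GCD.

Added illustration: labels and moduli below are constructed toy values.
"""
from math import gcd


def product_tree(values):
    """Return the levels of pairwise products; the last level is the full product."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(level[i] * level[i + 1])
            else:
                nxt.append(level[i])  # odd node is carried up unchanged
        tree.append(nxt)
    return tree


def batch_gcd(moduli):
    """For each modulus N_i, return gcd(N_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    remainders = tree.pop()  # [P], the product of every modulus
    while tree:
        level = tree.pop()
        # Push P down the tree, reducing modulo the square of each node.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) / N_i equals (P / N_i) mod N_i, so the gcd exposes shared factors.
    return [gcd(n, r // n) for n, r in zip(moduli, remainders)]


def audit(keys):
    """keys: dict of label -> modulus. Return label -> finding for weak keys only."""
    labels = list(keys)
    shared = batch_gcd([keys[label] for label in labels])
    findings = {}
    for label, g in zip(labels, shared):
        if g == 1:
            continue  # no factor in common with any other key in the set
        if g == keys[label]:
            findings[label] = "fully covered by other keys (duplicate or both primes shared)"
        else:
            findings[label] = "shares one prime factor with another key"
    return findings


# Constructed inventory: tiny primes stand in for real 1024-bit+ factors.
CONSTRUCTED_KEYS = {
    "mail-gw-1": 101 * 103,
    "mail-gw-2": 101 * 107,   # reuses the prime 101 (weak generator)
    "vpn": 109 * 113,         # independent
    "web": 127 * 131,
    "web-copy": 127 * 131,    # same modulus deployed twice
}

if __name__ == "__main__":
    for label, finding in audit(CONSTRUCTED_KEYS).items():
        print(f"{label}: {finding}")
```

Any key flagged here should be regenerated on a host with a properly seeded random source, since a shared factor means the generator repeated itself.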

I am the developer/owner of ThreadThat dot com (a site mentioned in an earlier post). I find this thread interesting reading and just wanted to add my 2 cents worth. There are many "(semi) secure" messaging solutions available - many for free. If there is an absolutely secure email based solution available anywhere, it is unlikely to be free or user-friendly.

When I started TT back in 2008, my goal was to create something for non-technical persons who just wanted an easy means of conducting a conversation via the Internet with the protection of end-to-end encryption (in my case, SSL+server-side encryption). My TOS and FAQ provide complete transparency with respect to court orders and warrants for information on a named TT user. So, users of TT are informed on the site that they cannot use the service to hide from law enforcement or government agencies. Personally, I don't believe there is such a place to hide.

There are significant challenges in creating a secure messaging app targeted at the general public: ease-of-use, privacy protection and trust. When making design choices, I continually had to balance ease-of-use against iron-clad protection. As such, many decline to use TT because the NSA could force me to add a back door and capture what they are sharing via TT. Although I believe this to be improbable, if it did happen, I would shut the site down (assuming that was a legal option).

The trust issue is probably the biggest hurdle. Why should anyone trust that any site is doing what the owners say it is? TT is not an open source solution. This is typically not something my target audience knows enough to care about. Those that do care are obviously more technical (like many who posted on this thread) and they will likely not use TT.

I'm just a developer that had a vision of creating an app that would allow the non-techies of the world to take advantage of encryption to prevent unauthorized access to lawful content they share via the Internet. There are many apps out there to choose from and they all provide varying degrees of usability, privacy and security. There is probably something for everyone depending on their appetite for risk.

Not sure if this was mentioned yet, but one of the things revealed in the Guardian's coverage was that encrypted communications are automatically considered suspect, since the NSA can't "read" it. Once they decide (if they decide) to decrypt it, then it can/must be kept for another 5 years - and the clock starts once it's been decrypted, not when it was first intercepted. So if it sat for 15 years before decrypted, that doesn't count towards the 5 years. Marcy Wheeler (EmptyWheel dot net) has covered this and she did an excellent interview on Scott Horton's radio show several weeks back. You can find it in the archives on his site (scotthorton dot org). I'm not suggesting encryption is pointless, and I also acknowledge that there are supposed "minimization" tools in place to ensure domestic communications are not "collected" without warrant. But I am also well aware that "collected" as defined by the NSA means when/if they decide to analyze (read) the communication. Gathering and storing is not collecting. Up is down and in is out. And most importantly, and personally, I don't have much confidence that the NSA follows any of the guidelines it supposedly has. I suspect it is much more of a free for all, one we may never get a full glimpse of.

@Jessica raises a good point about cryptography: Encryption does not prevent an adversary from recovering the content of a message or file; it delays an adversary from recovering the content of a message or file. If the delay is long enough, it will serve the intended security purpose and, indeed, the adversary might not even bother to recover the key. But as always, there is no such thing as absolute security - and the great convenience of modern ciphers comes with a price tag in reduced security vs., for example, a one-time pad or message transmission via a quantum encoded bitstream.

As Moore's Law keeps on trucking, the cost of recovering the key for an encrypted message via brute force search declines exponentially over time: A cipher + key that will withstand analysis by a "Jupiter sized computer using all the energy of a star, until the heat death of the Universe" today, might perhaps be cracked in an hour by a common solar-powered wristwatch 100 years from now. That's why we like very large numbers; keyspaces measured in Sagans (= "Billions and Billions"), not millions of combinations.

"Future security" is a very special problem with PKI ciphers whose security is based on the difficulty of factoring the sum of two large prime numbers; it is widely believed that a true quantum computer of useful size could solve this problem trivially. If/When this happens, not only does the PKI infrastructure of today's network security tools come crashing down, formerly secure encrypted messages in storage will also become readable: Initially, only messages that are "of interest" will be decrypted, but eventually everything in storage will become available for bulk analysis by data mining tools.

All the 'net is a stage, and all the men and women merely players... so whatever you are using crypto tools and secure protocols for today, make sure that it counts. Because tomorrow, it will be on public display.

"I know we have a weird off-and-on relationship and that you have hacked me to death and I have inserted some goodies in your system as a payback; "

Off-and-on in discussions maybe. Hacking you or many other people on this blog would also require (for practical reasons) hacking the blog itself. Thanks to Bruce and the blog's community, many of my own ideas have been hosted and peer reviewed here for free. Not to mention had an impact due to Bruce's large following. I've also learned plenty from discussions with other readers. It would be quite disrespectful to hack my host or fellow readers. It's also against my personal principles.

This, along with an incorrect description of my devices, means you've been having a hacking war with... someone else entirely. I mean, I keep a minimally secure personal network for the IP's I connect to this blog from. The reasons include "good enough," convenience, deniability as a legal defence just in case I need it, and a certain anti-TLS strategy I have for if they come down on me. That means a sophisticated opponent could own the entire network. If they do, it will be annoying, I might lose some files, and I'll have to clean restore some devices. That's all, though: neither truly private nor professional activity is done via these systems.

Re high assurance secure services & my involvement

"but I'm really disappointed in how you're just giving up. You seemed like someone who we could've really built a secure platform on and taken this to the next level of physical security if these f**kers try to gain access at any hour of the day. Granted I understand the nature of the threat but I would've thought that eventually or deep down you have this extreme hatred of those that compromise you w/ force.

You know the more technical capability is killed, the worse off we all become, so if these morons want to push it to that level they will get what they deserve."

I appreciate the compliment. I'm currently in a weakened state w.r.t. pulling off a huge high assurance project's development and deployment. I've been studying these people (and was fighting them) for over a decade. I'm fully aware of the amount of influence at each government level, along with their capabilities. Beating them will take a massive resistance by the American people or a private group outspending every other private group at the Congressional/Presidential bribery, err "lobbying," levels. There would be blood, too, as status quo is defended by force when they feel *really* threatened.

The public would have to be reached via the mainstream media most watch and somehow made to understand the situation. People would also need to be willing to lose everything when the system collapses before a rebuild (esp if US Dollar collapses). None of these status quo defeating scenarios are likely. The most likely scenario is the system keeps chugging on bandaging its wounds, denying its corruption, and stifling its competition. This is the case with legacy systems in general, which ours is one. It might collapse on its own eventually, achieve its pseudo-fascist goals or spawn a revolution. Meanwhile, it will continue to maintain its control over the public.

Far as technical contributions, I'm still working on stuff. I posted an update of the cutting edge a while back on this blog. (It was a pastebin link.) A detailed list of promising tech and strategies I have planned for near future. Quite secure setups for anonymity, secure comms, authorization, signatures, etc. are doable with existing knowledge and tech. They would cost more in acquisition and maintenance, along with horrible usability/efficiency. The FOSS crowd lacks the knowledge and expertise for most of this, at least for now. Best effort would combine academics, private developers/companies, OSS components (w/ FOSS development & peer review), and independent reviewers with similar skills from many competing countries. Each deployed instance would also be tweaked for diversity/obfuscation reasons.

It would cost over ten million for a general purpose platform or a few hundred K to a few Mil for each specific system/service. Development/review time would be years, with significant changes taking several quarters to pull off. That's out of my resource limits right now and demand is *very* low: most users of even security tech don't want to make the tradeoffs. They vote against them in the market every year. So, I'm not actively trying to make a real product right now, but I haven't quit. I'm just researching, evangelizing, designing, improving, and most important... waiting for The People to demand The Secure Thing. When they do, I'll support the effort if they'll have me in it. Meanwhile, I'm waiting, waiting, waiting... (sigh)

People would also need to be willing to lose everything when the system collapses before a rebuild
Nick P
--Yeah, this is the big one. Shouldn't take too long the way the economy continues to function.

Alright, well this particular individual seems to live close to you; so I'll take your word for it. Whoever it is also bricked my mom's pc bigtime and I haven't figured out what they did. This individual also claimed to have lots of tools and illegal software; well they also have my nasty creation too, deep somewhere.

I didn't click on your link b/c I've noticed at least 2 redirects from your youtube links, right after you mentioned messing around w/ youtube. Plus the URLs changed on other ones from you. If that was you or someone else, I need to find out.

As more people get raided and served by the NSA/FBI, the demand will come. Or people will just have to make tiny side systems for private comms. I too obviously don't have the resources nor all the skills I want to be a big contributor towards such a project. I don't have a lot of hope either but I can't give up.

" Whoever it is also bricked my mom's pc bigtime and I haven't figured out what they did."

Sorry to hear that. I know it's annoying.

"I didn't click on your link b/c I've noticed at least 2 redirects from your youtube links, right after you mentioned messing around w/ youtube. Plus the URLs changed on other ones from you. If that was you or someone else, I need to find out."

Redirects on known good links (these are AFAIK) mean you're experiencing a MITM attack. Today's script kiddies usually use malware kits on the user's machine. Attacks at DNS or home router level are another possibility. I wish you luck.

" Or people will just have to make tiny side systems for private comms."

I see this being most likely. People will trust the computers less and less. The foreign insurgents already give us a clue as to how it might go down. They're mainly low tech about things using drops, trusted intermediaries, etc. Beating that takes HUMINT and traffic analysis, only one of which US is good at. If there's a tech solution, it will start in a country like Iceland that's committed to the core to privacy of data.

Just as TOR doesn't need central servers, I would be thinking along the lines of hash-based addressing of communication, but combined with private/public-key encryption, so that only receiver and sender can read the messages.

If one (group of people) would combine that with a wifi mesh-network of mobile phones, forming a network together, then communication would be possible without even switching on the GSM antenna of the phone. Hence without the ISP's getting any metadata.

It is my understanding that a distributed and tracker-less tor-like network is possible, so why not apply such technique to inter-person communication?

It would be nice if that would work while being motivated by the NSA abuse. That would make them scratch their head a bit about 'beating the purpose' of their curiosity.

Countries I would start looking at are Switzerland, Germany and the Irish Republic ...

I wouldn't bet too much on the Irish Republic either, as made clear by a statement of the Office of the Data Protection Commissioner last month, and in which they saw no problem whatsoever with companies like Apple and Facebook transferring personal data from Ireland to the US ( http://www.siliconrepublic.com/strategy/item/33603-apple-and-facebook-not-brea ). Many - if not most - US tech companies for fiscal reasons have their European headquarters in Ireland. Any of those under PA Section 215/FISA Section 702 collaborating with the USG/NSA will clearly not be stopped from doing so as the fragile Irish economy can't afford to see them leave.

It might of course be different if the company you're trusting your data/communications with is entirely Irish and has no ties to the US whatsoever, for which you would need to examine who the shareholders are. The same goes for countries like Germany and Austria whose secret services according to Der Spiegel and other German media outlets seem to be having exceptionally strong working relationships with the NSA.

I would actually recommend to stay away from any EU country until such a time that the European Council/Parliament not only revoke the Safe Harbour certification of all US companies involved in Prism, but also passes the reforms to the EU Data Protection Directive (Directive 95/46/EC) including those parts US government and corporations have so vehemently lobbied against. Unless the UK and Sweden are kicked out of the EU, this is unlikely to happen. This, for all practical purposes in Europe leaves countries like Switzerland, Iceland and Norway only.

Switzerland has a long history of privacy/anonymity protection for rich people bringing in their money, but their banking secrecy has been under heavy fire lately. They may wish to start looking at new strategies to bring in business, in the process putting to good use their vast experience with the subject matter. Despite recently voting back in office the political parties that bankrupted the country, Iceland has an excellent track record on human rights, privacy and free speech issues.

- Way back, they granted Bobby Fischer citizenship when nobody else wanted him.
- They kicked out the FBI investigating Assange.
- MP Birgitta Jonsdottir, a die-hard Manning supporter and very vocal human rights and free speech activist, came under investigation by the US for her alleged involvement in Wikileaks.
- They recently put online Ljost.is, a platform allowing Icelandic citizens to send information proving abuse or corruption safely and anonymously ( http://kcreny64ndjwsyu2.onion )
- Home to Mailpile, a work in progress that has Smári McCarthy, the director of the International Modern Media Institute on board and which may provide a valid alternative to Lavabit/Silent Mail. (this is not an endorsement)
- Kim Dotcom is considering moving his Mega services to Iceland.

@ Winter

Is Tor Mail still up (I can't reach it at the moment)?

I believe it was hosted by Freedom Hosting. They got raided by the feds. Consider it fully compromised, even when it comes back up.

And how about the Email Made in Germany encrypted email?

Very commendable that a number of German ISPs have finally decided to catch up with the rest of the world already doing this, but what it does is nothing more than the digital equivalent of wrapping an envelope around a post card. It's mostly a PR initiative tricking non-technical users into a false sense of security.

@ bcs

Has anyone filed a FOIA request? (I've no clue how to do that or I'd consider doing it myself.)

You may wish to talk to Chris Soghoian (@csoghoian) of the ACLU. He's an expert on FOIA requests.

@ Matt S

As such, many decline to use TT because the NSA could force me to add a back door ... Although I believe this to be improbable, if it did happen, I would shut the site down (assuming that was a legal option).

I do not recommend going about it the same way Levison did. You may instead wish to implement a warrant/NSL canary the way rsync.net does. In addition to a digital signature, they provide a recent news headline as proof that the warrant canary was recently posted as well as mirroring the posting internationally. See http://www.rsync.net/resources/notices/canary.txt for an example.

I started an open source project to build a secure messaging system from scratch about ten years ago. The idea was that all communications go over a single encrypted messaging layer, over a single port, which then supports any different type of messaging protocol, whether mail, im, document sharing, file sharing or other. I thought of it as a framework for modeling and instantiating new social protocols dynamically, and that a distributed "spheres of trust" model with no single point of failure based on a "zero knowledge" authentication architecture was an essential building block for the next level of computing.

It then creates a 3DES encrypted socket, strengthening it by augmenting the shared secret with the result of the SRP dance. My memory is a bit rusty, but my recollection is that SRP is designed to be used in cleartext and is not subject to a MITM, so it's a great basis to create a "zero knowledge" computing layer based on spheres of trust.

In any case, I offer it up in case it's of interest to anyone to explore. It was written in Java a long time ago and the code is crap, but I hope it might provide some inspiration and a blueprint/POC for others.

Funny, when I first read about the Internet, there was one thing the books discussing it were clear on - it had been designed to outlast a limited nuclear attack in which half the infrastructure had been blown away. In other words, a distributed architecture. Damage could be easily routed around, it could not halt things to any great degree.

Most of the discussion now seems to be about how it is actually a heavily centralized architecture.

Since the big players are generally bought-and-sold by the even bigger players, the governments, the solution must be heavily decentralized. Samizdat - self-publication - is the solution, and like the Soviet prototype, the publishing agencies are us.

A good many of the pieces are already there - there are several free and open source operating systems and application systems; there are at least two different peer-to-peer anonymous forwarder networks-on-IP-backbone out there, and more peer-to-peer distribution systems and the like than I've ever thought to connect to - bittorrent, etc. Plus the mesh network that the One Child One Laptop prototyped.

It boils down to how seriously we take the threat. And how willing we are to resist it.

Can I be educated: my understanding was that Lavabit and similar 'zero knowledge' services like Spider Oak used 'client-side' encryption to make themselves immune to legal coercion - they have no keys. Perhaps that can be compromised by some other method, but, at least in theory, they shouldn't have anything of immediate value to the inquisitors - it's all encrypted.

What could exactly be requested of Lavabit that breaks the whole system and prompts them to commit suicide? Is it just metadata that is of consequence? Is it possible that they are being ordered to bug the client so that it leaks the keys?

Lavabit was not like that. Theirs was a weird system. If memory serves, they encrypted everything "in place" with the user's public key. But to access those emails, then, the Lavabit server retained the private keys and utilized a derivative of the user's login as the passkey to utilize the private keys to decrypt for retransmission to the user. It was "secure" in some ways, but fully dependent on trust of the servers, and it sounds like the government wanted into that chain.

I'm of the view that users with security orientation need to go all in, and not depend on "marketing" gimmick services that promise security they can't deliver when the government is there with a rubber hose.

If you're really serious, that means PGP.

It means PGP decryption and encryption conducted on a dedicated laptop running WDE, with a floppy drive only (all other ports disabled/epoxied), and with NO CONNECTIVITY to the internet, the memory chips epoxied in place, and the machine closed with locktite and sealed with tamper evident tape. It means every email is encrypted twice, once with conventional encryption using a pre-shared secret codebook, and a second time with PKE. It means the floppy goes back and forth from the encryption/decryption box to the net connected box, and the only thing ever on the floppy is encrypted material. (Essentially, this machine if physical security is maintained, would be vulnerable only to Tempest style attacks ... and the hope is that unless you're a "bad guy" you probably won't warrant enough attention to get the van parked across the street).

That's a lot of damn work just to read and write email. I have a friend in a tech business position who actually runs such a set up. He says the problem with MS giving early access to NSA of zero-day exploits, etc., is that NOTHING you do on a net connected machine can be considered secure. He was saying this years ago. I now see his view in a whole new light.

Would it imply that the Silent Circle Mail had the same technical issue of being able to see the keys? To me that would imply that it's an implementation problem, and that it could be fixed. But this is not how Silent Circle justified the bailout - they talk about fundamental problems.

What exactly could they give away if politely asked by a secret court that could be so damaging to the system that it was better to close it down? Was it metadata that were at stake (but that would imply compromising anonymity, not secrecy)? The encrypted email? The keys?

If the system is designed that not much can be given away, can a court order be construed (e.g. under CALEA for example) that would force the service provider to bug the client software and steal customer's keys, in the name of helping an investigation? Has that been ever tried in the courts?

mcjtom: Even if this were true (I think LavaBit actually stored your keys on the server encrypted with some secret, but let's suppose it's true) the NSA could have them update their client (since they control the client) such that some side channel during a session could tell it that this user is a person of interest and I'd like the client program to send back the key with the message.

There are instances where I'm putting data in the cloud, but I'm not concerned with nation-state actors getting at it. If you want kid-sister security (or single-rogue-employee security) lavabit and like-minded services are probably fine. If you want nation-state security you cannot trust a single vendor to deliver an application to you that encrypts the data and sends it back to their servers. Even if the application is open-sourced you're not really going to be verifying that the source code matches the published code and then compiling every time you download it.

If you got the application from one vendor and sent the data to a second you would at least require collusion, which is slightly better but even that could be gotten around by a dedicated nation-state or major trans-national corporation. I think my recommendation at this point is S/MIME with the actual encryption offloaded to a hardware TPM, but whatever solution you come up with is going to be extremely cumbersome and involve trusted systems from the moment you start typing the plaintext until the ciphertext leaves on the wire. As usual the encryption algorithms may be mathematically complex, but they're the easy part.

I don't know about Lavabit, but if my understanding is correct, Silent Mail used a system where crypto was handled and encryption keys managed on a separate PGP Universal-like server. This kind of approach works well in a corporate context because it takes out the hardship for users. However, the moment you receive a FISC order or NSL, the system is basically toast.

Enlocked and presumably a number of other providers of private mail services are using a similar system of key escrow. In the current state of affairs, all US based companies, including their affiliates abroad, offering such services need to be considered "compromised by design".

@ Nick P

The Sad Conclusion

Although from a practical point of view I agree with you, I believe that Lavabit and Silent Circle in shutting down their services have wanted to make a very strong political statement resonating not only in the security community but also outside of it. If ever there was a good time to do so, it was now. Paradoxically, their shooting themselves in the foot has provided additional ammo for those willing and able to take up the fight on a higher level.

Strikes me as a bit odd that the owner of a private company can make this decision, but the shareholders of a public company cannot, since they would be shielded from obviously material information about operations of their company.

I think Google, for example, could choose to not comply with the national security letters on the grounds that it violates the constitution. They would have the resources to fight these in court. And the government can't shut down Google - that would be unthinkable, they're too big.

Does it make better business sense to be quiet and bend over? Well sure it does. But these companies need to grow a pair. Brin/Page would not "get fired" and neither would Zuckerberg who can't even be fired because he owns more than 50% of Facebook.

These guys just choose the easy way out.

PS: The answer is PGP. It's end to end. Having your stuff on other people's servers is generally not a good idea even if we didn't have a police state. PGP for email and SpiderOak instead of Dropbox.

Do we know what ex-customers of Lavabit/Silent Circle think about it? I understand that there were several hundred thousands of them, and I imagine that majority cared more about not losing their data than about real or expected risks of being snooped on - many people use email as a record keeping device as well. They lost everything at the strike of a CEO's pen, on the altar of righteousness and indignation. Is that OK?

Install ddclient with a script that determines your IP every 5 minutes or so, and ddclient will update your DNS tables through whoever registered your domain name. Also, many ISPs block outgoing AND incoming port 25 (unless you're a static customer), but for ~$20/year you can pay a company for Mail Server Forwarding to re-stamp port 25 traffic as port XXX25, then port forward XXX25 back to port 25 on your own LAN's router. DNS Made Easy and others provide this service.

"Although from a practical point of view I agree with you, I believe that Lavabit and Silent Circle in shutting down their services have wanted to make a very strong political statement resonating not only in the security community but also outside of it. If ever there was a good time to do so, it was now. Paradoxically, their shooting themselves in the foot has provided additional ammo for those willing and able to take up the fight on a higher level."

Maybe. Most of the voters don't care enough to change the situation. That's been true for 10 years. Heck, most have never heard of Lavabit. The big tech industry players have so far gone with the flow. The best chance of a meaningful resistance would be a few of them that are "too big to fail" take action. Maybe it will happen, maybe not. Their main concern is business and NSA is probably seen as a cost of doing business rather than a threat.

The tight media control in this country concerns me too. Any grass roots style effort can be crushed with support of the public through media pieces portraying them as villains. It's happened a few times. I just don't see many avenues of attacking the status quo that don't involve rich well-connected supporters immune to blackmail or convincing most of the public they're slaves in the making [w/out media calling "conspiracy theory!"].

If they do it without having the records backed up somewhere else, they're plain stupid.

"they lost everything at the strike of a CEO's pen [...] Is that OK?"

Is that OK for an email provider to go bankrupt? Or have its servers seized by FBI? Customers will lose their stuff anyway.

When trusting your data to a third party you should always keep in mind the data can be lost. Always have multiple backups of important things. As for the email, it is also a problem of losing your whatever@someprovider.com address - making all your contacts update their address book is a PITA. The big providers may be actually taken over by some other entity and the domain may be kept unchanged, but I had already seen freemail services of considerable size just going "pop"! Millions of users lost their addresses.

The smart way is to register your own domain and host the email service in whatever way you want - at home, at some freemail provider, at some paid-for provider etc. - AND MAKE BACKUPS. This way you can always move your email business elsewhere, without losing anything but a couple of days worth of connectivity.

Indeed, I have registered my own domain during my last year at the university, because I knew I am going to lose my university email some day. After many years, I still have the same email address. On the other hand, throughout the years I had lost contact with many people (not that they were so very important people, just a bunch of colleagues and associates) just because their email address started bouncing... and more often than not, it was a freemail address.

Well, they shouldn't. Email is a communication tool, not a filing cabinet. In the case of Lavabit, it would also be a highly unpractical one because how are you going to search for some particular content when all mails in your folders are encrypted and the subject headers probably obfuscated?

It's all about digital hygiene. My primary email address for regular communications is but a forwarder in a different domain than the mailbox that's behind it. Neither service has anything to do with the other. If for one reason or another I have to change whomever/whatever is providing that mailbox, I can do so transparently without having to change the email address my correspondents have on file. I don't even have to change my S/MIME certificates or PGP keys. If the forwarding service is lost, it can be failed over to another one in the time it takes the modified DNS-records to propagate, unless of course the domain is seized.

Incoming mail on all my devices is retrieved over IMAPS. One machine eventually grabs them over POP/SSLTLS, at which point they are stored locally, regularly backed up and eventually archived to external storage. Nothing of value remains in the remote mailbox. Admittedly, this means losing direct access to my mail folders/archives when I'm on the road, but can still easily be mitigated as long as I can VPN into my home network (or backup location thereof). The entire philosophy here is to have nothing in the cloud except stuff that has either been sniffed in transition or retained at the provider site.

I'm not saying that this is necessarily the most secure approach or a one-size-fits-all-solution, but it's the one I personally use for non/mildly-sensitive communications. Your mileage and that of other people may vary. The point I'm trying to make, however, is that you should never rely on any external service/provider - whether in the US or somewhere else - to last you a lifetime or even give you fair warning when they are compromised, changing their T&C's or suspending operations. And this is especially so for so-called "secure services" (remember Hushmail and anon.penet.fi).

Then again, I don't expect any change anywhere soon to come from the incumbent POTUS, Corporate Congress or even the American people. It will come through the likes of James Madison, Benjamin Franklin, Thomas Jefferson and John Adams. They may still be in college today, or even loitering about like the young John Connor, but I want to believe that they are out there to one day reclaim their country for the people. Quoting from Battlestar Galactica as did some anonymous commenter in the "Rise of the Warrior Cop" thread: "All of this has happened before, and it will happen again".

People looking into using other jurisdictions to host email services should consider privacy-centered locations, locations that oppose the invasive country, and locations where influence exists.

In the past, Panama and Hong Kong were my preferable privacy jurisdictions for offshore corporations or hosting. The reason is that each showed plenty of political independence from the US in practice. They also have good privacy laws on corporations. Hong Kong has extra laws on protecting confidential data. Both countries wipe their asses with foreign subpoenas.

Note: Iceland is a promising recent example. Plenty of good examples set over there. However, they're still new at this: we don't know if US will develop effective coercion strategies in near future. Also, removing them as a high performing data haven is one oceanic cable cutting exercise away. ;)

The next jurisdiction type is one that opposes the US. China and Russia are prime candidates here. Certain Latin American countries like Venezuela and Cuba might qualify. These countries might try to spy on the data themselves. However, if the nature of the data is such that you don't care (or if they're paid not to care), then they might block court or TLA activity for you.

The final jurisdiction type is one that can be influenced. I'll illustrate this with an example. There used to be a hacking scam in the dialup days where malware would make you dial a paid 900 number for Internet instead of a local number. The service, located in Nigeria, would charge about $3 a minute. Nigerian government tended to look the other way long as they got around 20-30% of the earnings. Whether by financial or some other kind of power, having the ability to get a foreign government to ignore something can be valuable for ensuring OPSEC. (OPSEC is also usually necessary to maintain the power so it's a double benefit.)

My Old Relays

My old, basic setup used relays in different jurisdictions. You'd have mix networks bouncing messages around. The change I made would classify certain jurisdictions as non-cooperative, semi-cooperative or cooperative. A message would never move between cooperative jurisdictions: it would be one of the other two in accordance with set minimum bounce policies. The servers would also be foreign hosted/owned in a jurisdiction such as Hong Kong. So, people trying to break anonymity would have to fight a legal or hacking battle in one jurisdiction after another, increasing their own risk or headaches as they do so.

I used to have Switzerland and some others on the list. They started getting sneaky, too. So, the new scheme used encryption on any stored detail on the server. The key would be encrypted and forwarded itself along a different channel. Message traffic and control/admin traffic went on different channels. The control/admin traffic would go the best possible route to end up in the safest place. They would need those keys for their data. The servers also used RAM disks and were very forgetful of application state by design. So, now they had both message tracking and "control issues." (no pun intended)

And now

Today, there are plenty of offerings of VPS's and shared web servers with scripting available in many countries. A cross-jurisdiction mix network should be cheaper/easier than ever to set up. There might even be ways to do it parasitically off services of big providers like Facebook or Google to get the cost down to nearly free. The core servers should be a minimized version of OpenBSD or MAC-enforcing Linux. By minimized, I mean *every* unneeded feature stripped out of the system. I'd encourage the use of Bernstein's new NaCl library instead of conventional crypto libs. And, ideally, have the network send messages of fixed length at fixed intervals with all extra fields dealt with to avoid covert storage and timing channels. The result of the above should be a new private mail network better than those before it.
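The bounce policy described in the comment above, sketched as an added example (not the commenter's code). The relay names and jurisdiction codes are constructed placeholders, and two of the rules, one jurisdiction per hop and a minimum count of semi- or non-cooperative hops, are assumed readings of "set minimum bounce policies".

```python
import random
from dataclasses import dataclass

# Stance of a relay's jurisdiction toward outside legal requests,
# using the three classes named in the comment.
COOPERATIVE = "cooperative"
SEMI = "semi-cooperative"
NON = "non-cooperative"


@dataclass(frozen=True)
class Relay:
    name: str
    jurisdiction: str  # placeholder code (constructed), not a real country
    stance: str


# Constructed relay inventory for the demonstration.
RELAYS = [
    Relay("relay-1", "J1", COOPERATIVE),
    Relay("relay-2", "J2", COOPERATIVE),
    Relay("relay-3", "J3", SEMI),
    Relay("relay-4", "J4", NON),
    Relay("relay-5", "J5", NON),
    Relay("relay-6", "J3", SEMI),  # second relay in an already-listed jurisdiction
]


def policy_violations(path, min_hops=3, min_resistant=2):
    """Return the reasons a candidate path breaks the bounce policy (empty if none)."""
    problems = []
    if len(path) < min_hops:
        problems.append(f"only {len(path)} hops, policy requires {min_hops}")
    # Rule stated in the comment: a message never moves directly from one
    # cooperative jurisdiction to another.
    for a, b in zip(path, path[1:]):
        if a.stance == COOPERATIVE and b.stance == COOPERATIVE:
            problems.append(f"{a.name} -> {b.name} links two cooperative jurisdictions")
    # Assumed rule: every hop sits in a different jurisdiction, so tracing a
    # message means a separate legal process for each hop.
    seen = set()
    for relay in path:
        if relay.jurisdiction in seen:
            problems.append(f"jurisdiction {relay.jurisdiction} used twice")
        seen.add(relay.jurisdiction)
    # Assumed rule: a minimum number of hops outside cooperative jurisdictions.
    resistant = sum(r.stance != COOPERATIVE for r in path)
    if resistant < min_resistant:
        problems.append(
            f"only {resistant} semi/non-cooperative hops, policy requires {min_resistant}"
        )
    return problems


def choose_path(relays, hops=3, min_resistant=2, rng=None, attempts=1000):
    """Pick a random path that satisfies the policy, or raise if none is found."""
    rng = rng or random.SystemRandom()  # unpredictable selection by default
    if hops > len(relays):
        raise ValueError("not enough relays for the requested hop count")
    for _ in range(attempts):
        candidate = rng.sample(relays, hops)
        if not policy_violations(candidate, hops, min_resistant):
            return candidate
    raise RuntimeError("no policy-compliant path found")


if __name__ == "__main__":
    path = choose_path(RELAYS)
    print(" -> ".join(f"{r.name}[{r.jurisdiction}/{r.stance}]" for r in path))
```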

When will they get it. It's like why on Earth is isoHunt STILL hosted and run from the U.S.A. It's rock-fuckingly stupid, cretinous, and brainlessly moronic.

We need a web-visible FreeNet-like hosting method. That's the only way. Unenforceability coupled with plausible deniability, it's impossible to arrest a swarm of enough millions, even more so when nothing can be proven based on their swarm membership alone.

The US government hack of Hushmail, as I read about it back then, went like this. To use Hushmail one downloaded a program that authenticated one's PassPhrase, acted as an email client, and allowed one to communicate to Hushmail servers with encryption, and to encrypt all the things between the PC and Hushmail.

When the Feds told Hushmail they wanted to read the Emails, an individual was required to download an updated login/Email Client program. I am guessing the Feds also got whatever was stored on the Hushmail server for the individual.

I am guessing it was a scheme like that that the Feds wanted Lavabit to accept.

I would point out the idea others have mentioned. Without a doubt the Feds can do things with certificates. In fact, Certificates of some sites I go are shown to no longer be correct, expired and such. Which is strange for a professional organization.

In fact, Certificates of some sites I go are shown to no longer be correct, expired and such. Which is strange for a professional organization.

Err not quite, stranger things have happened. Microsoft once forgot to pay its domain name registration fees and a private individual in effect bought up microsoft.com before anyone else could...

The simple fact is the bigger the organisation the more likely it is to happen.

Look at it this way, as far as most corporate bean counters are concerned all creditors "can wait 60 days for payment". Well some creditors just throw the "off switch" after 32 days without any warning other than that 6point print on the back of the original sales TOC's.

And apparently it appears to happen all the time, for one current example doing the rounds see,

Today we are launching a new mailbox provider initiative which compares favourably to what Lavabit used to do

It will turn on S/MIME for incoming emails from correspondents who do not use S/MIME, using the customer's public key. This means that a hacker getting access to the servers themselves (or the police, should they get judiciary permission to search the databases) will be unable to make sense of the contents.

It's based in Switzerland, where the Constitution itself guarantees the privacy of telecommunications

"Today we are launching a new mailbox provider initiative which compares favourably to what Lavabit used to do"

Good to hear. The more the better. But this...

"It's based in Switzerland, where the Constitution itself guarantees the privacy of telecommunications"

...doesn't carry the weight it once did. Switzerland had its own spying scandal in 1989. They've also cooperated with US on criminal cases. Maybe they'll protect the privacy, maybe they won't. Hard to tell.

Indeed. And if you take a look you'll find that we add what I think is a genuine advancement to the field, possibly unique.
We will instruct our customers to create a S/MIME configuration. The private key will stay on their computers. They will hand us a copy of the public key.
When a Mail Shield customer exchanges emails with a smart friend (like another Mail Shield user, or someone who uses S/MIME with another provider) the conversation will be encrypted end-to-end.
When a Mail Shield customer exchanges emails with a not-so-smart friend, who sends our customer an email in cleartext, our server will handle the incoming email and apply encryption automatically before storing it in its internal database.
That’s why we call it an encrypted mailbox: no matter what, 100% of the messages stored in it will be covered with strong crypto and no-one (our techies, hackers, secret service agents…) will be able to read a single bit.

Switzerland had its own spying scandal in 1989. They've also cooperated with US on criminal cases

Yup. But Schneier himself would tell you that security is never absolute, always relative. In Switzerland there were twenty cases of live wiretapping in 2012. It's unbelievably hard to convince a Swiss judge that there's a case for intruding in someone's private communications.